From: Passera, P. R <pab...@in...> - 2009-04-30 12:33:04
Hi Todd,
I haven't seen this paper. It is interesting. However, for this to work we should have a sandboxing policy for the downloaded file before installing it into our VM sandbox to detect control hijacking. I see this more as a protection for already installed files that have a known behavior than as zero-day attack protection. Did I get it right?
Regards,
Pablo
>-----Original Message-----
>From: Todd Deshane [mailto:des...@gm...]
>Sent: Wednesday, April 22, 2009 1:44 PM
>To: iso...@li...
>Subject: [Isolated-exec-devel] Related Work
>
>Hi,
>
>I just wanted to let you know about a paper that I ran across, in case
>you hadn't seen it yet:
>
>Accurate Application-Specific Sandboxing for Win32/Intel Binaries
>
>Wei Li Lap-chung Lam Tzi-cker Chiueh
> Computer Science Department
> Stony Brook University
>
>Abstract:
>Comparing the system call sequence of a network application against a
>sandboxing policy is a popular approach to detecting control-hijacking
>attacks, in which the attacker exploits such software vulnerabilities
>as buffer overflow to take over the control of a victim application
>and possibly the underlying machine. The long-standing technical
>barrier to the acceptance of this system call monitoring approach is
>how to derive accurate sandboxing policies for Windows applications
>whose source code is unavailable. In fact, many commercial computer
>security companies take advantage of this fact and fashion a business
>model in which their users have to pay a subscription fee to receive
>periodic updates on the application sandboxing policies, much like
>anti-virus signatures. This paper describes the design, implementation
>and evaluation of a sandboxing system called BASS that can
>automatically extract a highly accurate application-specific
>sandboxing policy from a Win32/X86 binary, and enforce the extracted
>policy at run time with low performance overhead. BASS is built on a
>binary interpretation and analysis infrastructure called BIRD, which
>can handle application binaries with dynamically linked libraries,
>exception handlers and multi-threading, and has been shown to work
>correctly for a large number of commercially distributed Windows-based
>network applications, including IIS and Apache. The throughput and
>latency penalty of BASS for all the applications we have tested except
>one is under 8%.
>
>Cheers,
>Todd
>
>P.S. I still hope to get back to testing and development on
>isolated-exec, but have still been busy with my core research and
>projects lately.
>
>--
>Todd Deshane
>http://todddeshane.net
>http://runningxen.com
>
>_______________________________________________
>Isolated-exec-devel mailing list
>Iso...@li...
>https://lists.sourceforge.net/lists/listinfo/isolated-exec-devel
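
As an added illustration of the system call monitoring approach the abstract describes (this is not code from the paper, from BASS/BIRD, or from isolated-exec): a per-application policy of permitted system call transitions is learned from a known-good trace and then enforced against later traces. The traces and the two-gram policy shape are constructed for this example; the real work derives the policy from the binary itself, which this toy does not attempt.

```python
"""Toy policy-based system call monitor (added example, not from the paper).

The policy is the set of syscalls seen in a known-good trace plus the set of
allowed (previous, next) transitions.  A trace that introduces a syscall or a
transition outside the policy is flagged at the first offending call.
"""
from typing import List, Optional, Set, Tuple

Policy = Tuple[Set[str], Set[Tuple[str, str]]]

# Constructed: a benign trace of a small network server serving two requests.
BENIGN_TRACE: List[str] = [
    "socket", "bind", "listen",
    "accept", "read", "open", "read", "close", "write", "close",
    "accept", "read", "write", "close",
]

# Constructed: the same server after a buffer overflow in the request parser
# hands control to injected code that spawns a shell.
HIJACKED_TRACE: List[str] = [
    "socket", "bind", "listen",
    "accept", "read", "execve",
]

# Constructed: a legitimate but previously unseen path (reply without reading).
# A policy learned only from BENIGN_TRACE will flag it, which is exactly the
# accuracy problem the abstract says BASS addresses by analysing the binary.
UNSEEN_BENIGN_TRACE: List[str] = [
    "socket", "bind", "listen",
    "accept", "write", "close",
]


def learn_policy(traces: List[List[str]]) -> Policy:
    """Build the allowed-syscall set and allowed-transition set from traces."""
    allowed: Set[str] = set()
    edges: Set[Tuple[str, str]] = set()
    for trace in traces:
        allowed.update(trace)
        for prev, nxt in zip(trace, trace[1:]):
            edges.add((prev, nxt))
    return allowed, edges


def check_trace(policy: Policy, trace: List[str]) -> Optional[Tuple[int, str]]:
    """Return (index, reason) of the first policy violation, or None if clean."""
    allowed, edges = policy
    prev: Optional[str] = None
    for i, call in enumerate(trace):
        if call not in allowed:
            return i, f"syscall {call!r} never seen in policy"
        if prev is not None and (prev, call) not in edges:
            return i, f"transition {prev!r} -> {call!r} not in policy"
        prev = call
    return None


if __name__ == "__main__":
    policy = learn_policy([BENIGN_TRACE])
    for name, trace in [("benign", BENIGN_TRACE),
                        ("hijacked", HIJACKED_TRACE),
                        ("unseen-benign", UNSEEN_BENIGN_TRACE)]:
        print(name, check_trace(policy, trace))
```

The third trace shows why the policy has to be complete before enforcement starts: a monitor trained only on observed runs raises a false alarm on any legitimate path it has not seen, so the policy must come from analysis of the program itself (the point of extracting it from the binary) rather than from whatever runs happened to be recorded.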